If your business is like mine, a lot of folks to whom I owe money are insisting on the ability to automatically remove the money I owe them each month from our checking account (via an electronic process known as ACH, which is slower but much cheaper and easier to use than the old wire transfer method). At first, any loan I took out insisted that the lender be able to automatically withdraw my payments. Then my workers' compensation company. Then certain vendor accounts. And of course my merchant processing companies are constantly shoving money in and out of my bank accounts.

In retrospect, I was far too sanguine about this situation. What finally caused me to abandon my sense of security was a libel lawsuit filed by one of my vendors over a bad review I wrote of their product [I won't mention the name here but I am sure anyone can figure it out with a simple search]. Anyway, I realized that this company, which was suing me for untold bazillions of dollars, actually had the right to freely jack whatever they wanted out of my checking account. What is worse, this same company is being sued by many companies for trying to take an arbitrarily high final payment out of their accounts at contract termination. Eeek! And this does not even include the possibility of outright fraud. I have ACH tools with which, if I have your bank's name and your account number, I could pull money out of your account without your ever knowing about it until you see it missing. I presume criminals could do the same thing.

Something had to be done, and it turned out that my bank, Bank of America, has something called ACH positive pay, wherein nothing gets ACH'ed out of my accounts without my first approving the payments. I check a screen each morning and in 60 seconds can do the approvals for the day. They also have a very easy-to-use rules system where one can set up rules such that payments to certain vendors or for certain amounts don't need further daily approvals.

I presume most major banks have a similar product. It cost me some money but I feel way safer and encourage you to look into it if you are in the same situation.
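To make the positive-pay idea concrete, here is an added example of the kind of rule engine described above. It is not Bank of America's product or the author's code; it assumes the bank shows each pending debit's originator company ID, company name, amount and effective date, and it keys the pre-approval rules on the company ID because the free-text name is trivially spoofable. The company IDs, vendor names and amounts are constructed.

```python
"""ACH positive-pay rule engine: decide which pending debits can be auto-approved.

Added example, not Bank of America's product. It assumes the bank exposes each
pending debit's originator company ID, name, amount and effective date, and
that pre-approval rules are keyed on the company ID (the free-text company
name is trivially spoofable, so it is never used for matching).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Debit:
    """One incoming ACH debit as it would appear on the morning approval screen."""
    company_id: str      # originator ID from the batch header (assumed to be available)
    company_name: str    # display only; never matched against
    amount: Decimal
    effective: date


@dataclass(frozen=True)
class Rule:
    """Standing pre-approval for one originator."""
    company_id: str
    max_per_entry: Decimal                   # any single debit above this is held
    max_per_month: Optional[Decimal] = None  # optional aggregate cap per calendar month
    revoked: bool = False                    # keep revoked rules on file, but ignore them


def review(debits, rules, approved_history=()):
    """Return [(debit, "AUTO-APPROVE" | "HOLD", reason)] in effective-date order.

    Anything that does not match an active rule is held for a human, so an
    originator you have never pre-approved cannot pull a cent unattended.
    """
    active = {r.company_id: r for r in rules if not r.revoked}

    # Month-to-date totals per originator, seeded from debits already approved this month.
    month_total = defaultdict(Decimal)
    for d in approved_history:
        month_total[(d.company_id, d.effective.year, d.effective.month)] += d.amount

    decisions = []
    for d in sorted(debits, key=lambda x: (x.effective, x.company_id)):
        rule = active.get(d.company_id)
        key = (d.company_id, d.effective.year, d.effective.month)
        if rule is None:
            decisions.append((d, "HOLD", "no active pre-approval rule for this originator"))
        elif d.amount > rule.max_per_entry:
            decisions.append((d, "HOLD", f"amount {d.amount} exceeds per-entry cap {rule.max_per_entry}"))
        elif rule.max_per_month is not None and month_total[key] + d.amount > rule.max_per_month:
            decisions.append((d, "HOLD", f"would exceed monthly cap {rule.max_per_month}"))
        else:
            month_total[key] += d.amount  # counts toward later entries in the same run
            decisions.append((d, "AUTO-APPROVE", "within rule"))
    return decisions


def approved_total(decisions):
    """Sum of what will leave the account without a human looking at it."""
    return sum((d.amount for d, status, _ in decisions if status == "AUTO-APPROVE"), Decimal("0"))


# Constructed sample data: company IDs, names and amounts are invented.
RULES = [
    Rule("1234567890", Decimal("25000")),                    # payroll processor
    Rule("9876543210", Decimal("2500"), Decimal("5000")),    # monthly software vendor
    Rule("1111111111", Decimal("900"), revoked=True),        # vendor cut off after a dispute
]
HISTORY = [Debit("9876543210", "ACME SOFTWARE", Decimal("2200.00"), date(2016, 3, 1))]
PENDING = [
    Debit("9876543210", "ACME SOFTWARE", Decimal("2200.00"), date(2016, 3, 7)),
    Debit("9876543210", "ACME SOFTWARE", Decimal("1000000.00"), date(2016, 3, 7)),  # a fat-fingered pull
    Debit("5555555555", "NEW PAYEE INC", Decimal("480.00"), date(2016, 3, 7)),       # never pre-approved
    Debit("1111111111", "OLD VENDOR", Decimal("300.00"), date(2016, 3, 8)),          # rule revoked
    Debit("1234567890", "PAYROLL CO", Decimal("18500.00"), date(2016, 3, 8)),
    Debit("9876543210", "ACME SOFTWARE", Decimal("2200.00"), date(2016, 3, 9)),      # blows the monthly cap
]

if __name__ == "__main__":
    results = review(PENDING, RULES, HISTORY)
    for d, status, reason in results:
        print(f"{d.effective} {d.company_id} {d.company_name:<14} {d.amount:>12}  {status:<12} {reason}")
    print("leaving unattended:", approved_total(results))
```

The default is to hold, not to approve: a new originator, a revoked vendor, an oversized single pull and an overshoot of the monthly cap all land in the manual queue, and only two of the six constructed debits go out untouched. Whatever product your bank offers, check that its rules fail closed the same way, and that a rule you revoke after a dispute really stops matching.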

Stan Jackson:

Once had a vendor try to withdraw over a million bucks from my account. Was supposed to be about $2,200. That account typically had about $5,000 to $10,000 in it, and never had more than $20,000. Everyone said they were sorry, but we were out of business for 3 or 4 days.

herdgadfly:

The banks that I have used for paying bills directly from my bank account have two kinds of payees - those paid by bank check and those paid by electronic transfer. If you want to pay bills you accept their rules. Obviously the bank gets paid extra by volume processors like utilities, credit card companies, and mortgage loan companies. I have never been offered a choice except to speed up a payment for a price.

CT_Yankee:

I frequently review and pay bills online with either a credit card or direct electronic transfer from my checking account. All of my utilities ask every single time to make the process completely automatic (they would produce a bill, take cash from one of my accounts, and only when everything else fell apart would I discover that they added a few zeros and emptied an account by accident). One of my insurance companies cashed a paper check, then did an electronic transfer for the same (large) amount, placing me deep in the red. Yes, it gets straightened out in a few business days, but better to review charges first and not have to deal with it at all. If my cell or cable company adds a new fee, I want to see it clearly, not have to discover later that I have been paying for months for something I never wanted. Every bill rates at least a human glance to ward off that computer error.

LP:

The European system (I think it's called SEPA) is much superior: you can authorize third parties to take out money from your account, but (1) any automated transfer can be reverted within 30 days, (2) you can set limits [up to xxx Euros per month], and (3) revoke the authorization at any time (this is because I cannot take money with just an account number, the account owner needs to authorize and that authorization can be revoked).

Orion Henderson:

I've often wondered about this myself. My bank wanted to set us up to do ACH to several vendors that we currently wire - the benefits were ease of use and low cost. But anyone who managed to get into our account online would have been able to direct money any dang place they pleased with no safeguards, and anyone with our account numbers could have pulled money at will. So we canned it. Yes, we pay more and it's more of a hassle. But still...

ErikTheRed:

I've been paranoid about this for years, because one of my hats (it's a white one) requires me to look at systems and figure out how to break them. The way ACH payments work sort of makes my eyes bulge out of my head and ask deep questions like "Really?!??," "Seriously?!??," and make statements like "You have to be fucking kidding me." Hell, the other day the central bank of Bangladesh just got taken for $81 million in wire transfer fraud, and it would have been a cool billion if the miscreants involved hadn't made a typo on one of the transfers that triggered a rapid investigation (moral of this story: you do always double, triple, and quadruple-check your large wire transfers, right?).

It's not just ACH payments - anyone you wire money to (including international wires to countries with lower than average ethical standards) gets enough information to set up an unauthorized ACH transfer. All of my companies have at least one separate checking account dedicated to ACH transfers, and one has a separate account for international wires. The nice thing about these is that they're usually scheduled and for consistent amounts, so we can load them up with funds periodically which gives us some degree of protection. At a certain point I may split out certain ultra-critical functions like payroll into their own accounts. This adds a few minutes per month of extra accounting overhead, but in my opinion it's worth it.

Another best practice is to use a separate, dedicated computer for wire transfers. This computer should not have any software on it that's unnecessary for transferring funds (usually a web browser), should be separately firewalled ("DMZ'd"), blocked from accessing anything on the Internet except banks and software updates, and blocked from the internal network(s) as well. This means no Active Directory, management software, *accounting software*, etc. - IT will have to walk over to it for maintenance. It should only be physically accessible to people authorized to send wires, and have the usual password and account best practices followed. Companies must also have the proper internal communication policies in place to prevent forged internal transfer requests ("CEO impersonation fraud"). These practices eliminate just about all of the avenues for wire transfer fraud, and they cost under $1,000 to set up. There's no excuse not to follow them.

The consumer analog to this is debit cards. Many banks are cool about handling debit card fraud, but every time I've dug into the legalese on these things it's said more or less that they "may" be cool about it rather than they "will" or "shall" be cool about it. Like many bank policies, this will sometimes come down to how much they like you as a person or a customer, especially for large amounts. Making nice with the management and team at your branch is a best practice anyway.
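The dedicated wire-transfer box ErikTheRed describes is, in network terms, an egress policy: internal ranges blocked outright, the bank and an update mirror allowed over HTTPS, everything else dropped. The following is an added example of that policy as a checker you can run offline against proposed or logged connections, plus a rendering of the same rules as an nftables output chain. It is not ErikTheRed's configuration; every address is a placeholder from the RFC 5737 documentation ranges, the designated resolver and the HTTPS-only port set are assumptions, and the sample flows are constructed.

```python
"""Egress policy for a dedicated wire-transfer workstation, with an nftables rendering.

Added example, not ErikTheRed's configuration. All addresses are placeholders
from the RFC 5737 documentation ranges and the allowed ports are assumptions;
substitute your bank's and update mirror's real addresses.
"""
import ipaddress
from typing import NamedTuple

# Assumed destinations. Anything not listed here is dropped.
BANK_ENDPOINTS = [ipaddress.ip_network("203.0.113.0/24")]     # bank web/API range (assumed)
UPDATE_MIRROR = [ipaddress.ip_network("198.51.100.10/32")]    # OS/browser update host (assumed)
RESOLVER = ipaddress.ip_network("198.51.100.53/32")           # the only DNS server it may ask (assumed)
ALLOWED_TCP_PORTS = {443}                                     # HTTPS only; no plain HTTP, no SMB, no RDP

# Internal ranges the box must never talk to: no AD, file shares or accounting software.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


class Flow(NamedTuple):
    dst: str
    port: int
    proto: str = "tcp"


def evaluate(flow):
    """Return ("ALLOW"|"DENY", reason). Order matters: the internal deny wins over every allow."""
    dst = ipaddress.ip_address(flow.dst)
    if dst.is_loopback:
        return ("ALLOW", "loopback")
    if any(dst in net for net in INTERNAL):
        return ("DENY", "internal network is off limits from this host")
    if flow.proto == "udp" and flow.port == 53 and dst in RESOLVER:
        return ("ALLOW", "DNS to the designated resolver")
    if flow.proto != "tcp" or flow.port not in ALLOWED_TCP_PORTS:
        return ("DENY", "only HTTPS leaves this host")
    if any(dst in net for net in BANK_ENDPOINTS):
        return ("ALLOW", "bank")
    if any(dst in net for net in UPDATE_MIRROR):
        return ("ALLOW", "software updates")
    return ("DENY", "default deny")


def audit(flows):
    """Evaluate a batch of observed or proposed flows; useful for testing the policy offline."""
    return [(f, *evaluate(f)) for f in flows]


def render_nftables():
    """Emit the same policy as an nftables output chain (default drop)."""
    fmt = lambda nets: "{ " + ", ".join(str(n) for n in nets) + " }"
    lines = [
        "table inet wirebox {",
        "    chain output {",
        "        type filter hook output priority 0; policy drop;",
        '        oifname "lo" accept',
        "        ct state established,related accept",
        f"        ip daddr {fmt(INTERNAL)} drop",
        f"        ip daddr {RESOLVER.network_address} udp dport 53 accept",
    ]
    for port in sorted(ALLOWED_TCP_PORTS):
        lines.append(f"        ip daddr {fmt(BANK_ENDPOINTS + UPDATE_MIRROR)} tcp dport {port} accept")
    lines += ["    }", "}"]
    return "\n".join(lines)


# Constructed flows: what the box would see during a normal day and during an abuse attempt.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 443),          # logging in to the bank
    Flow("203.0.113.5", 80),           # same bank over plain HTTP
    Flow("198.51.100.53", 53, "udp"),  # resolving the bank's name
    Flow("198.51.100.10", 443),        # pulling updates
    Flow("10.1.2.3", 445),             # SMB to an internal file server
    Flow("192.168.1.10", 389),         # LDAP to a domain controller
    Flow("192.0.2.10", 443),           # arbitrary Internet host (malware C2, say)
    Flow("127.0.0.1", 8080),           # local process
]

if __name__ == "__main__":
    for f, verdict, why in audit(SAMPLE_FLOWS):
        print(f"{verdict:<5} {f.proto}/{f.port:<5} -> {f.dst:<15} {why}")
    print(render_nftables())
```

Two things the prose glosses over show up as soon as you write the rules down: the box still needs name resolution, so a single designated resolver has to be carved out (and if that resolver lives on the internal network it must be allowed before the internal drop, not after), and the internal-range drop has to precede the bank allow so that a mistyped allowlist entry can never open a path back to the domain controller. If the workstation is Windows, the same policy goes into Windows Firewall outbound rules with the default outbound action set to block; the evaluator above is the check to run against the exported rule set either way.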

ErikTheRed:

We're currently looking at alternatives to the ACH system for our own inbound transfers that combine the convenience and extremely low transaction cost of ACH with better consumer protections - sort of splitting the difference between credit cards and ACH. Dwolla is one such system.

Darin Johnson:

LoneSnark:

After having a short battle across the ACH system (although it is possible my bank simply liked me and therefore took my side in the disagreement), it seems all payments are liable for recourse if the account holder proclaims the charge was unauthorized in the opinion of the account holder. There was a standard form at my bank to reverse an ACH transaction, although it took a week. But we got the money back. No idea under what circumstances such forms fail to undo the ACH transaction.